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Abstract 

An increasing number of systems, from pay-TV 
to electronic purses, rely on the tamper resistance 
of smartcards and other security processors. We 
describe a number of attacks on such systems — 
some old, some new and some that are simply lit¬ 
tle known outside the chip testing community. We 
conclude that trusting tamper resistance is problem¬ 
atic; smartcards are broken routinely, and even a 
device that was described by a government signals 
agency as ‘the most secure processor generally avail¬ 
able’ turns out to be vulnerable. Designers of secure 
systems should consider the consequences with care. 

1 Tamper proofing of cryptographic 

equipment 

Many early cryptographic systems had some pro¬ 
tection against the seizure of key material. Naval 
code books were weighted; rotor machine setting 
sheets were printed using water soluble ink; and 
some one-time pads were printed on cellulose nitrate, 
so that they would burn rapidly if lit [20]. 

But such mechanisms relied on the vigilance of 
the operator, and systems were often captured in 
surprise attacks. So cryptographic equipment de¬ 
signed in recent years has often relied on techni¬ 
cal means to prevent tampering. An example is 
the VISA security module, commonly used in banks 
to generate and check the personal identification 
numbers (PINs) with which customers authenticate 
themselves at automatic teller machines. It is ba¬ 
sically a safe containing a microcomputer that per¬ 
forms all the relevant cryptographic operations; the 
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safe has lid switches and circuitry which interrupts 
power to memory, thus erasing key material, when 
the lid is opened [27]. The idea is to deny the bank’s 
programmers access to customer PINs and the keys 
that protect them; so when a customer disputes a 
transaction, the bank can claim that the customer 
must have been responsible as no member of its staff 
had access to the PIN [6]. 

Evaluating the level of tamper resistance offered 
by a given product is thus an interesting and im¬ 
portant problem, but one which has been neglected 
by the security research community. One of the few 
recent articles that discuss the subject describes the 
design of the current range of IBM products and 
proposes the following taxonomy of attackers [1]: 

Class I (clever outsiders): They are often very 
intelligent but may have insufficient knowledge of 
the system. They may have access to only mod¬ 
erately sophisticated equipment. They often try 
to take advantage of an existing weakness in the 
system, rather than try to create one. 

Class II (knowledgeable insiders): They have 
substantial specialized technical education and 
experience. They have varying degrees of under¬ 
standing of parts of the system but potential ac¬ 
cess to most of it. They often have highly sophis¬ 
ticated tools and instruments for analysis. 

Class III (funded organisations): They are 

able to assemble teams of specialists with related 
and complementary skills backed by great funding 
resources. They are capable of in-depth analy¬ 
sis of the system, designing sophisticated attacks, 
and using the most advanced analysis tools. They 
may use Class II adversaries as part of the attack 
team. 
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The critical question is always whether an oppo¬ 
nent can obtain unsupervised access to the device 
[22], If the answer is no, then relatively simple mea¬ 
sures may suffice. For example, the VISA security 
module is vulnerable to people with occasional ac¬ 
cess: a service engineer could easily disable the tam¬ 
per protection circuitry on one of her visits, and 
extract key material on the next. But this is not 
considered to be a problem by banks, who typically 
keep security modules under observation in a com¬ 
puter room, and control service visits closely. 

But in an increasing number of applications, the 
opponent can obtain completely unsupervised ac¬ 
cess, and not just to a single instance of the cryp¬ 
tographic equipment but to many of them. This is 
the case that most interests us: it includes pay-TV 
smartcards, prepayment meter tokens, remote lock¬ 
ing devices for cars and SIM cards for GSM mobile 
phones [4]. Many such systems are already the tar¬ 
get of well funded attacks. 

So in what follows, we will assume that all at¬ 
tackers can obtain several examples of the target 
equipment. We will also ignore tampering at the 
circuit board level (though this has caused losses, 
for example, with prepaid electricity meters [7]) and 
rather concentrate on attacks aimed at recovering 
crypto key material stored in smartcards and other 
chip-level security processors. 

2 Breaking smartcards and micro¬ 
controllers 

The typical smartcard consists of an 8-bit micro¬ 
processor with ROM, EEPROM and RAM, together 
with serial input and output, all in a single chip that 
is mounted on a plastic carrier. Key material is kept 
in the EEPROM. 

Designers of EEPROM based devices face a prob¬ 
lem: erasing the charge stored in the floating gate of 
a memory cell requires a relatively high voltage. If 
the attacker can remove this, then the information 
will be trapped. 

Early smartcards received their programming 
voltage on a dedicated connection from the host in¬ 
terface. This led to attacks on pay-TV systems in 
which cards were initially enabled for all channels, 
and those channels for which the subscriber did not 
pay were deactivated by broadcast signals. By cov¬ 
ering the programming voltage contact on their card 
with tape, or by clamping it inside the decoder us¬ 
ing a diode, subscribers could prevent these signals 
affecting the card. They could then cancel their sub¬ 
scription without the vendor being able to cancel 
their service. 


Some cards are still vulnerable to this kind of at¬ 
tack, and it gives rise to a sporadic failure mode 
of some card-based public telephone systems: tele¬ 
phones where the relevant contact is dirty or bent 
may fail to decrement any user’s card. However, the 
cards used nowadays in pay-TV decoders generate 
the required 12 V from the normal 5 V power supply 
using an on-chip oscillator and diode/capacitor net¬ 
work. This can push up the cost of an attack, but 
does not make it impossible: large capacitors can 
be identified under a microscope and destroyed with 
lasers, ultrasonics or focused ion beams. A chip pre¬ 
pared in this way can be investigated at will without 
the risk of erasing the EEPROM. 

So our task is to classify the various logical and 
physical attacks on security processors and get some 
idea of the cost involved. 

2.1 Non-invasive attacks 

Unusual voltages and temperatures can affect 
EEPROM write operations. For instance, for 
the PIC16C84 microcontroller, a trick has become 
widely known that involves raising VCC to VPP - 
0.5 V during repeated write accesses to the security 
bit. This can often clear it without erasing the re¬ 
maining memory. 

For the DS5000 security processor, a short voltage 
drop sometimes released the security lock without 
erasing secret data. Processors like the 8752 that 
can be used with both internal and external mem¬ 
ory but that limit the switch between them to resets 
have been read out using low voltages to toggle the 
mode without a reset. Low voltage can facilitate 
other attacks too: at least one card has an on-board 
analogue random number generator, used to man¬ 
ufacture cryptographic keys and nonces, which will 
produce an output of almost all l’s when the supply 
voltage is lowered slightly. 

For these reasons, some security processors have 
sensors that cause a reset when voltage or other envi¬ 
ronmental conditions go out of range. But any kind 
of environmental alarm will cause some degradation 
in robustness. For example, one family of smart- 
card processors was manufactured with a circuit to 
detect low clock frequency and thus prevent single¬ 
stepping attacks. However, the wild fluctuations in 
clock frequency that frequently occur when a card 
is powered up and the supply circuit is stabilising, 
caused so many false alarms that the feature is no 
longer used by the card’s operating system. Its use is 
left to the application programmer’s discretion. Few 
of them bother; those who do try to use it discover 
the consequences for reliability. So many cards can 
be single-stepped with impunity. 
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For similar robustness reasons, the under-voltage 
and over-voltage detection circuitry in many devices 
will not react to transients. So fast signals of various 
kinds may reset the protection without destroying 
the protected information, and attacks of this kind 
are now known in the community for quite a number 
of devices. 

Power and clock transients can also be used in 
some processors to affect the decoding and execu¬ 
tion of individual instructions. Every transistor and 
its connection paths act like an RC element with a 
characteristic time delay; the maximum usable clock 
frequency of a processor is determined by the max¬ 
imum delay among its elements. Similarly, every 
flip-flop has a characteristic time window (of a few 
picoseconds) during which it samples its input volt¬ 
age and changes its output accordingly. This win¬ 
dow can be anywhere inside the specified setup cycle 
of the flip-flop, but is quite fixed for an individual 
device at a given voltage and temperature. 

So if we apply a clock glitch (a clock pulse much 
shorter than normal) or a power glitch (a rapid tran¬ 
sient in supply voltage), this will affect only some 
transistors in the chip. By varying the parameters, 
the CPU can be made to execute a number of com¬ 
pletely different wrong instructions, sometimes in¬ 
cluding instructions that are not even supported by 
the microcode. Although we do not know in advance 
which glitch will cause which wrong instruction in 
which chip, it can be fairly simple to conduct a sys¬ 
tematic search. 

A typical subroutine found in security processors 
is a loop that writes the contents of a limited mem¬ 
ory range to the serial port: 

1 b = answer_address 

2 a = answer_length 

3 if (a == 0) goto 8 

4 transmit(*b) 

5 b = b + 1 

6 a = a - 1 

7 goto 3 

8 ... 

We can look for a glitch that increases the pro¬ 
gram counter as usual but transforms either the con¬ 
ditional jump in line 3 or the loop variable decrement 
in line 6 into something else. 

Finding the right glitch means operating the card 
in a repeatable way. All signals sent to it have to 
arrive at exactly the same time after reset for ev¬ 
ery test run. Many glitches can be tested for every 
clock cycle, until one of them causes an extra byte 


to be sent to the serial port. Repeating it causes the 
loop to dump the remaining memory, which if we 
are lucky will include the keys we are looking for. 

Output loops are just one target for glitch attacks. 
Others are checks of passwords, access rights and 
protocol responses, where corruption of a single in¬ 
struction can defeat the protection. A possible soft¬ 
ware countermeasure might be to avoid single-point - 
of failure instructions. This was common enough in 
the old days of unreliable hardware: a senior Cam¬ 
bridge computer scientist recalls that in the 1950’s a 
prudent system programmer was someone who, hav¬ 
ing masked off three bits, would verify that the result 
did not exceed seven! 

Hardware countermeasures include independent 
internal clock generators that are only PLL synchro¬ 
nized with the external reference frequency. 

2.2 Physical attacks 

Physical attacks on some microcontrollers are al¬ 
most trivial. For example, the lock bit of several 
devices with on-chip EPROM can be erased by fo¬ 
cusing UV light on the security lock cell, which is 
located sufficiently far from the rest of memory. 

Current smartcards are slightly harder to attack, 
but not very much harder. They generally have little 
to prevent direct access to the silicon; the marketing 
director of a smartcard vendor claimed that there 
was simply no demand from their users for anything 
really sophisticated [21]. The most that appears to 
be done is a capacitive sensor to detect the continued 
presence of the passivation layer [23], or an optical 
sensor under an opaque coating [3]. Similar robust¬ 
ness considerations apply to these detectors as to the 
ones discussed above; they are often not used, and 
when they are, they are fairly easy to detect and 
avoid. 

Anyway, the typical chip module consists of a thin 
plastic basis plate of about a square centimetre with 
conductive contact areas on both sides. One side is 
visible on the final card and makes contact with the 
card reader; the silicon die is glued to the other side, 
and connected using thin gold or aluminium bond¬ 
ing wires. The chip side of the plastic plate is then 
covered with epoxy resin. The resulting chip mod¬ 
ule is finally glued into the card, which is available 
in ISO credit card format, in miniature format for 
some GSM systems, or in the case of some prepay¬ 
ment electricity meter systems and pay-TV systems 
resembles a small plastic key. 

Removing the chip is easy. First, we use a sharp 
knife or hand lathe to cut away the plastic behind 
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Figure 1: Fully functional smartcard processor with 
covering plastic removed for microprobing experi¬ 
ments. All tools necessary for this preparation were 
obtained for US$30 in a pharmacy. 

the chip module until the epoxy resin becomes visi¬ 
ble. Now we settle a few drops of fuming nitric acid 
(>98% HNO 3 ) on the resin and wait a few minutes 
until some of it has dissolved (the process can be 
accelerated by heating up the acid with an infra-red 
radiator). Before the acid dissolves too much epoxy 
and gets solid, we wash acid and resin away by shak¬ 
ing the card in acetone. We repeat this procedure 
around five to ten times until the silicon surface of 
the die is fully exposed. The chip can then be washed 
and will be fully functional unless one of the bonding 
wires has been damaged. 

Functional tests with pay-TV and prepaid phone 
smartcards have shown that EEPROM content is 
not affected by hot nitric acid. No knowledge be¬ 
yond school chemistry is necessary; the materials 
are easily available in any chemistry lab, and several 
undergraduate students have recently reported the 
successful application of this method on an Internet 
mailing list dedicated to amateur smartcard hack¬ 
ing. Fuming nitric acid is an aggressive oxidant and 
should be handled carefully (especially when using 
flammable liquids such as acetone), but it does not 
affect silicon, silicon oxide, silicon nitride, or gold as 
used on the chip and its contacts. The aluminium 
used in the metal layer of the chip is covered at once 
with a thin oxide layer and is also unaffected. Nitric 
acid is commonly used anyway to clean chip surfaces 
during manufacture. 

There are commercial IC package removal ma¬ 
chines used in process quality control, which expose 
the chip to an HNO 3 vapor stream that not only dis¬ 
solves the resin but also transports away the waste 
products. This leaves a somewhat cleaner die sur¬ 
face than our manual method, but these machines 


use a lot of acid and need to be cleaned after use. 
So even professional chip analysis laboratories ex¬ 
tract the chip manually if only a few packages have 
to be opened. 

Most chips have a passivation layer of silicon ni¬ 
tride or oxide, which protects them from environ¬ 
mental influences and ion migration. This is not af¬ 
fected by nitric acid; chip testers typically remove it 
using dry etching with hydrogen fluoride, a process 
that is not as easily performed by amateur hackers. 

But dry etching is not the only option. Another 
approach is to use microprobing needles that remove 
the passivation just below the probe contact point 
using ultrasonic vibration. Laser cutter microscopes 
commonly used in cellular biology laboratories have 
also been used to remove the passivation locally. 
Some testing laboratories have sets of nine micro¬ 
probes so that the card bus can be read out during 
real time operation [ 12 ], 

It is also normal to remove the passivation be¬ 
fore using an electron beam tester to access on-chip 
signals, because the secondary electrons emitted by 
the chip surface accumulate a positive charge on the 
passivation layer which causes the signals to disap¬ 
pear after a few seconds. One might therefore think 
that such attacks would require dry etching facili¬ 
ties. However, in some experiments with an elec¬ 
tron beam tester, we have found that the charge 
accumulation effect is less serious when the chip is 
still covered with a thin dirt layer of HNO 3 and 
resin remains, which is probably weakly conductive. 
We suggest that a suitable weakly conductive layer 
might be deposited on top of the passivation layer as 
an alternative way of preventing the charge build-up. 

2.3 Advanced attack techniques 

The techniques described above have been suc¬ 
cessfully used by class I attackers — amateur pav- 
TV hackers, students and others with limited re¬ 
sources. We will now briefly describe some of the 
techniques available in professionally equipped semi¬ 
conductor laboratories, of which there are several 
hundred worldwide. Some of these are situated in 
universities (three in the UK, for example), and it 
has happened that class I attackers get access to pro¬ 
fessional equipment in the course of student projects. 

A recent article [11] gives an overview of a tech¬ 
nique developed for reverse engineering chips at the 
Cavendish Laboratory in Cambridge. The authors 
of that paper first developed techniques for cleanly 
etching away a layer of a chip at a time. One in¬ 
novation is a technique to show up N and P doped 
layers using the Schottky effect: a thin film of a 
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metal such as gold or palladium is deposited on the 
chip creating a diode which can be seen with an elec¬ 
tron beam. Images of successive layers of a chip are 
then fed into a PC with image processing system 
software that reduces the initially fuzzy image to a 
clean polygon representation and identifies common 
chip features. 

The system has been tested by reverse engineering 
the Intel 80386 and a number of other devices. The 
80386 took two weeks, and it usually takes about six 
instances of a chip to get it right. The output can 
take the form of a mask diagram, a circuit diagram 
or even a list of the library cells from which the chip 
was constructed. 

Once the layout and function of the chip are 
known, there is an extremely powerful technique de¬ 
veloped by IBM for observing it in operation, with¬ 
out even having to remove the passivation layer. The 
tester places a crystal of lithium niobate over the fea¬ 
ture whose voltage is to be monitored. The refrac¬ 
tive index of this substance varies with the applied 
electric field, and the potential of the underlying sil¬ 
icon can be read out using an ultraviolet laser beam 
passed through the crystal at grazing incidence. The 
sensitivity of this technique is such that a 5 V signal 
of up to 25 MHz can be read [30], and we understand 
that it is a standard way for well funded laboratories 
to recover crypto keys from chips of known layout. 
When attacking a smartcard, for example, we would 
read the EEPROM output amplifiers. 

The response of the protection community to at¬ 
tacks of this kind has been to develop ‘conformeal 
glues’, chip coatings that are not merely opaque and 
conductive but which also strongly resist attempts 
to remove them, usually damaging the underlying 
silicon in the process. These coatings are referred to 
in a FIPS standard [17] and are widely used by the 
U.S. military, but are not generally available. 

In addition to chip coatings, silicon features may 
be used to obscure the design. We have heard of de¬ 
sign elements that look like a transistor, but are in 
reality only a connection between gate and source; 
and 3-input NORs which function only as 2-input 
NORs. Such copy traps may use holes in isolating 
layers or tricks done in the diffusion layer with ion 
implantation. However, the layer etching and Schot- 
tky techniques described above can detect them. 

Another possibility is to introduce complexity 
into the chip layout and to use nonstandard cell li¬ 
braries. However the chip still has to work, which 
limits the complexity; and nonstandard cells can be 
reconstructed at the gate level and incorporated in 
the recognition software. 


A more systematic approach was employed in the 
U.S. government’s Clipper chip. This had a fusible 
link system in which the links that created a clas¬ 
sified encryption algorithm and a long term device 
key from an unclassified mask were fused after fabri¬ 
cation, and were made of amorphous silicon to make 
microscopy more difficult. In addition to this, the 
surface of the chip was ‘salted’ with oscillators to 
make electromagnetic sensor attacks more compli¬ 
cated. 

Details of the fusible link technology can be found 
in a paper in the relevant data book [18], and from 
the scanning electron micrographs there, it is clear 
that — given enough effort — the secret informa¬ 
tion can be recovered by sectioning the chip (this 
technique has been used by the Cambridge team on 
obscure features in other chips). We are reliably in¬ 
formed that at least one U.S. chipmaker reverse en¬ 
gineered the Clipper chip shortly after its launch. 
However the attacks that discredited the Clipper 
chip used protocol failures rather than physical pen¬ 
etration [10] — a topic to which we will return later. 

Sectioning is not the only way to reverse engineer 
a chip whose surface is well protected. For example, 
a recently declassified technique invented at Sandia 
National Laboratories involves looking through the 
chip from the rear with an infra-red laser using a 
wavelength at which the silicon substrate is trans¬ 
parent. The photocurrents thus created allow prob¬ 
ing the device’s operation and identification of logic 
states of individual transistors [2]. 

The use of sectioning leads us to a more gen¬ 
eral, and relatively unexplored, topic — attacks that 
involve actively modifying the target chip rather 
than merely observing it passively. It is well known 
that active opponents can mount much more severe 
attacks on both cryptographic protocols and algo¬ 
rithms than passive opponents can, and the same 
turns out to be true when reverse engineering chips. 

We understand, for example, that production at¬ 
tacks carried out by some pay-TV pirates involve the 
use of a focussed ion beam (FIB) workstation. This 
device can cut tracks in a chip’s metallisation layer, 
and deposit new tracks or isolation layers. It can 
also implant ions to change the doping of an area 
of silicon, and it can even build vias to conductive 
structures in the lowest layers of the chip. These 
machines cost several million U.S. dollars, but low- 
budget attackers can rent time on them from various 
semiconductor companies. 

Armed with such a tool, attacks on smartcards 
become much simpler and more powerful. A typ¬ 
ical attack involves disconnecting almost all of the 
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X old connection opened -«— new connection established 


Figure 2: Read-out attack modifications on a secu¬ 
rity processor performed with a focused ion beam 
workstation allow easy access to secret EEPROM 
content with a single microprobing needle. 

CPU from the bus, leaving only the EEPROM and 
a CPU component that can generate read accesses. 
For example, the program counter may be left con¬ 
nected in such a way that the memory locations will 
be accessed in order as the device is clocked (see 
Fig. 2). Once this has been done, the attacker needs 
only a single microprobing needle or electro-optical 
probe to read the entire EEPROM contents. This 
makes the program much easier to analyse than in 
passive attacks, which typically yield only an execu¬ 
tion trace; it also avoids the considerable mechanical 
difficulties of keeping several probes simultaneously 
located on bus lines that are perhaps a micrometre 
wide. 

In conclusion, it is imprudent to assume that the 
design of silicon chips, or the information stored in 
them, can be kept from a capable motivated oppo¬ 
nent. So how can we protect key material from such 
an opponent? 

2.4 Advanced protection techniques 

One application in which capable motivated op¬ 
ponents may be assumed, and where billions of dol¬ 
lars are spent on thwarting them, is the security 
of nuclear weapons. The threat model here is un¬ 
equivocally class III — rogue states fronted by “ter¬ 
rorist” commando teams operating in cahoots with 
subverted military personnel. The U.S. A. has led the 
development of a control technology, now partially 
shared with other nuclear and near-nuclear nations, 
and the following account has been pieced together 
from a number of open sources. 

Following the Cuban missile crisis, there was con¬ 
cern that a world war could start by accident — for 
example, by a local commander under pressure feel¬ 
ing that ‘if only they knew in Washington how bad 
things were here, they would let us use the bomb’. 


There was also concern that U.S. nuclear weapons in 
allied countries might be seized by the ally in time 
of tension, as U.S. forces there had only token custo¬ 
dial control. These worries were confirmed by three 
emergency studies carried out by Jerome Wiesner, 
the presidential science adviser. 

President Kennedy’s response was National Se¬ 
curity Action Memo no. 160, which ordered that 
America’s 7,000 nuclear weapons then in countries 
from Turkey to Germany should be got under posi¬ 
tive control, or got out [25]. 

The U.S. Department of Energy was already 
working on safety devices for nuclear weapons, the 
basic principle being that a unique aspect of the en¬ 
vironment had to be sensed before the weapon would 
arm. For example, missile warheads and some free- 
fall bombs expected to experience zero gravity, while 
artillery shells expected to experience an accelera¬ 
tion of 20,000 g. There was one exception though: 
atomic demolition munitions. These are designed to 
be taken from their storage depots to their targets 
by jeep or helicopter, or even hand carried by spe¬ 
cial forces, and then detonated using time fuses. So 
there is no scope for a unique environmental sensor 
to prevent accidental detonation. 

The solution then under development was a se¬ 
cret arming code, which activated a solenoid safe 
lock buried deep in the plutonium pit at the heart 
of the weapon. The main engineering problem was 
that when the lock was exposed, for example by a 
maintenance engineer replacing the power supply, 
the code might become known (as with the VISA 
security module mentioned above). So it was not 
acceptable to have the same code in every weapon, 
and group codes had to be used; the same firing code 
would be shared by only a small batch of warheads. 

But, following the Kennedy memo, it was pro¬ 
posed that all nuclear bombs should be protected 
using code locks, and that there should be a ‘univer¬ 
sal unlock’ action message that only the president 
or his legal successors could give. How could this 
be securely translated to a large number of individ¬ 
ual firing codes, each of which would enable a small 
batch of weapons? The problem became worse when 
the Carter administration’s policy of ‘measured re¬ 
sponse’ created a need for a wide variety of ‘selective 
unlock’ messages, giving the president options such 
as enabling the use of nuclear artillery and air de¬ 
fence weapons against a Soviet incursion into Ger¬ 
many. It became worse still with concern that a 
Soviet decapitation strike against the U.S. national 
command authority might leave the arsenal intact 
but useless. As is now well known, the solution 
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lies in the branch of cryptomathematics known as 
‘secret sharing’ [24], whose development it helped 
to inspire, and which enables weapons, commanders 
and options to be linked together with a complexity 
limited only by the available bandwidth. 

In modern weapons the solenoid safe locks have 
been superseded by PALs — prescribed action links 
— about whose design details we have been able to 
find no useful open source material. However, it is 
known that PALs are considered sufficient only when 
they can be buried in the core of a large and com¬ 
plex weapon. With simple weapons (such as atomic 
demolition munitions) it is not considered feasible to 
deny access to a capable motivated opponent. These 
weapons are therefore stored in sensing containers 
called PAPS (prescribed action protective system) 
which provide an extra layer of protection. 

Both the big-bomb and PAPS-enhanced systems 
include penalty mechanisms to deny a successful 
thief access to a usable weapon. These mechanisms 
vary from one weapon type to another but include 
gas bottles to deform the pit and hydride the plu¬ 
tonium in it, shaped charges to destroy components 
such as neutron generators and the tritium boost, 
and asymmetric detonation that results in pluto¬ 
nium dispersal rather than yield. Whatever the com¬ 
bination of mechanisms used in a given design, it is 
always a priority to destroy the code in the switch; 
it is assumed that a renegade government prepared 
to deploy “terrorists” to steal a shipment of bombs 
would be prepared to sacrifice some of the bombs 
(and some technical personnel) to obtain a single 
serviceable weapon. 

To perform authorised maintenance, the tamper 
protection must be disabled, and this requires a sep¬ 
arate unlock code. The devices that hold the vari¬ 
ous unlock codes — for servicing and firing — are 
themselves protected in similar ways to the weapons. 
We understand, for example, that after tests showed 
that 1 mm chip fragments survived the protective 
detonation of a control device carried aboard air¬ 
borne command posts, the software was rewritten 
so that all key material was stored as two separate 
components, which were kept at addresses more than 
1 mm apart on the chip surface. 

This highlights the level of care that must be 
taken when developing security processors that are 
to withstand capable attack. This care must extend 
to the details of implementation and operation. The 
weapons testing process includes not just indepen¬ 
dent verification and validation, but hostile ‘black 
hat’ penetration attempts by competing laboratories 
or agencies. Even then, all practical measures are 


taken to prevent access by possible opponents. The 
devices (both munition and control) are defended in 
depth by armed forces; there are frequent zero-notice 
challenge inspections; and staff may be made to re¬ 
sit the relevant examinations at any time of the day 
or night. 

These mechanisms and procedures have so far 
succeeded in preventing rogue governments from 
stealing (as opposed to making) atomic weapons. 

The nuclear business also supplies the only ex¬ 
amples known to us of tamper resistant packages 
designed to withstand a class III opponent who 
can obtain unsupervised physical access. These are 
the missile sensors developed to verify the SALT II 
treaty [26] — which was never deployed — and the 
seismic sensor package developed for test ban treaty 
verification, which was. In this latter system, the 
seismic sensors are fitted in a steel tube and inserted 
into a drill hole that is backfilled with concrete. The 
whole assembly is so solid that the seismometers 
themselves can be relied upon to detect tampering 
events with a fairly high probability. This physical 
protection is reinforced by random challenge inspec¬ 
tions. 

So if systems have to be protected against class III 
opponents, we might hazard the following summary: 

• if our goal is to merely detect tampering with a 
positive probability (as with treaty verification), 
then we can allow unsupervised access provided 
we are allowed to use a massive construction and 
to perform challenge inspections; 

• if we wish to prevent the loss of a cryptographic 
key with near certainty (as with firing codes), 
then we had better use explosives and we had 
better also guard the device. 

The above analysis convinced us that military 
agencies have limited confidence in the ability of 
tamper-resistant devices (and especially portable 
ones) to withstand a class III opponent with unsu¬ 
pervised access. Having read an early draft of this 
paper, a senior agency official confirmed that chip 
contents cannot be kept from a capable motivated 
opponent; at most one can impose cost and delay. 
A similar opinion was ventured by a senior scientist 
at a leading chip maker. 

Furthermore, the expense and inconvenience of 
the kind of protection used in the nuclear industry 
are orders of magnitude greater than even major 
banks would be prepared to tolerate. So what is 
the state of the art in commercial security proces¬ 
sor design? They may be vulnerable to a class III 
opponent, but how about class II and class I? 


7 



3 Commercial security processors 

Many commercial systems use either security 
module or smartcard technology. However, a grow¬ 
ing number of designs consist of a composite package 
containing processor, memory, tamper detection cir¬ 
cuitry and a battery. 

An early example, whose design rationale was 
published in detail, is the p ABYSS coprocessor de¬ 
veloped by IBM. A variety of tamper resistant pack¬ 
ages were tested for ease of penetration and ease 
of manufacturing, including stannic oxide lines on 
glass, piezo-electric sheets and a number of wire 
winding techniques. The designers settled on a 
four layer wrapping of 40 gauge (80 pin diameter) 
nichrome wire surrounding the processor, battery, 
memory and sensor circuitry, and embedded in a 
hard, opaque epoxy filled with silica to make it 
harder to machine and more likely to crack under 
UV laser ablation [28] [29]. 

This appears to be a promising technology, and 
increasingly so as circuit sizes and power consump¬ 
tion shrink. The //ABYSS design protected 260 cm 2 
of card circuitry, but much less is used in many re¬ 
cent designs. 128 kilobyte SRAM chips are available 
today with room temperature data retention cur¬ 
rents of less than 1 p A. A small 3 V lithium cell can 
easily provide this for a decade. 

Many aggressive chemicals used to remove opaque 
chip packages (such as fuming nitric acid) have a 
low electrical resistance and can easily be detected 
as long as battery power is available; indeed, they 
will often cause critical breaks and short-circuits di¬ 
rectly. Power supply networks could be made from a 
variety of different conductive and isolating materi¬ 
als such that practically any useful chemical solvent 
will cause at least one part to fail. 

Suitable packaging can make it difficult for the 
attacker to strip away the protection one layer at 
a time, so that a successful attack might require 
a highly laborious process of manually shorting 
out the protective wire winding, guided by X-rays 
and precise measurements of the voltage at various 
points along its length. 

There are some subtleties though. One might 
think that the protection mechanisms only have to 
deactivate the power supply; but low-power SRAM 
chips remember bit values without a supply voltage 
at room temperature reliably for many seconds. By 
cooling the whole circuit with liquid nitrogen or he¬ 
lium, an attacker can extend the reliable power-off 
memory time to minutes or even hours, which could 
be enough to disable the alarm system and reapply 
power. Longterm exposure to a constant bit pattern 


can cause some SRAM cells to adapt their prefered 
power-up state accordingly, an effect that can re¬ 
main for several days without any supply voltage 
[19]. Possible countermeasures include SRAM cells 
with a well-defined power-up behavior. 

Recent examples of battery-backed security mod¬ 
ule assemblies are the IBM Transaction Security Sys¬ 
tem [1] and the Dallas Semiconductor DS5000 series 
[16]. The latter devices have been described by a 
European signals security agency as the most secure 
processors available on general sale; we will now re¬ 
port a successful attack on them. 

3.1 The Dallas DS5002FP Secure Mi¬ 
crocontroller 

One might want to make the tamper resistant 
module as small as possible, since hermetic sealing 
limits power dissipation, because larger packages are 
more vulnerable to false alarms, and for simple cost 
reasons. 

But many applications require much more RAM 
than can be conveniently included in a small pack¬ 
age, and one established technique is bus encryp¬ 
tion [13] [14] [15]. The CPU contains hardware for 
on-the-fly encryption of both the external address 
and the data bus. External RAM contains only en¬ 
crypted data stored at encrypted addresses. The 
secret key is stored in a special battery buffered reg¬ 
ister on the CPU chip. 

The Dallas Semiconductor DS5002FP microcon¬ 
troller uses this bus encryption strategy. This Intel 
8051 compatible processor is used in a number of 
financial transaction terminals and pay-TV access 
control systems to store secret keys and execute con¬ 
fidential cryptographic algorithms. On-chip boot- 
loader firmware allows users to upload unencrypted 
software; it is then encrypted and stored in the ex¬ 
ternal memory. The secret key is unique to each 
device, which has a special self-destruct pin that al¬ 
lows external alarms to erase it. A special version 
(DS5002FPM) features an additional metal layer die 
top coating designed to prevent microprobe attacks. 

According to the manual, this layer is a “com¬ 
plex layout that is interwoven with power and ground 
which are in turn connected to logic for the Encryp¬ 
tion Key and Security Logic. As a result, any at¬ 
tempt to remove the layer or probe thi'ough it will 
result in the erasure of the security lock and/or the 
loss of encryption key bits'’. Additional security is 
provided by pseudo-random dummy accesses per¬ 
formed on the external bus whenever the CPU core 
does not access external memory. In addition, 48 
bytes including the reset and interrupt vectors are 



located on chip. Access to them also results in ex¬ 
ternal dummy RAM access cycles, such that anyone 
observing the external bus cannot know when the 
internal RAM is accessed. 

The security features of the DS5002FP are at first 
glance quite impressive and the manufacturer de¬ 
scribes them as “the most sophisticated security fea¬ 
tures available in any microcontroller'’. 

The chip uses two block ciphers that are loosely 
modelled on DES. The first encrypts addresses and 
acts on 15-bit blocks; the second encrypts data and 
acts on 8-bit blocks. The key of the second cipher is 
salted with the address of the byte being encrypted, 
but its small block size (which was no doubt dictated 
by the fact that the controller is byte oriented) turns 
out to be a useful feature for the attacker. 

On closer examination, the algorithms show sta¬ 
tistical weaknesses that might allow key recovery 
using differential cryptanalysis. We have not stud¬ 
ied this in detail yet. In any case the algorithm 
strength is a purely economic issue; more rounds 
can buy more strength, but at a cost in either clock 
frequency or transistor count. Much more interest¬ 
ing is a weakness of the bus encryption system that 
is independent of the quality of the encryption algo¬ 
rithms. 

3.2 Breaking the Dallas chip 

One of us (Kuhn) has designed and demonstrated 
an effective practical attack that has already yielded 
all the secrets of some DS5002FP based systems 
used for pay-TV access control and also broken a 
code lock provided as a challenge by the German 
Federal Agency for Information Technology Security 
(BSI). The attack requires only a normal personal 
computer, a special read-out circuit built from stan¬ 
dard electronic components for less than US$100, 
and a logic analyzer test clip for around US$200. 
It was performed in a student hardware laboratory 
at the University of Erlangen-Niirnberg using only 
common laboratory tools. Designing the hardware 
and software and performing the experiments lead¬ 
ing to the final approach required less than three 
months. Thus, in the IBM taxonomy, this attack 
was carried out by a class I opponent. 

The basic idea is simple, but was clearly not con¬ 
sidered by the designers or evaluators of this proces¬ 
sor. We call it the “cipher instruction search attack”: 
it works by feeding the CPU with suitably chosen 
enciphered instructions and looking to see which of 
the resulting plaintext instructions we can recognise 
from their effects. 

For example, we can recognise the three byte in¬ 
struction 


MOV 90h, #42h 

encoded 75h 90h 42h, as it outputs byte value 42h on 
parallel port PI (address 90h) two bus access cycles 
later. 

So we reset the CPU and wait until some tar¬ 
get instruction is about to be fetched. Then our 
read-out hardware replaces it, and our control soft¬ 
ware observes the reaction for a few more clock cy¬ 
cles. Then we repeat the procedure — which we can 
do over 300 times per second — and systematically 
work through all 2 16 combinations for the first two 
encrypted instruction bytes. 

We eventually find a two byte combination that 
sends a bijective function of the following byte to 
the parallel port. Assuming the first two bytes are 
the ciphertext corresponding to 75h 90h (which has 
to be confirmed by further tests), this gives the data 
bus decryption function at the address from which 
the third instruction byte was fetched. By testing 
all 2 8 values for this byte, we can tabulate the data 
decryption for one address. 

Now we repeat the whole process. However this 
time we will search for a one-byte no-operation com¬ 
mand (NOP) followed by the same MOV instruction 
as before. This effectively increases by one the ad¬ 
dress from which the third MOV instruction byte 
will be fetched. 

Although we are now searching for a combina¬ 
tion of four encrypted bytes representing two ma¬ 
chine instructions, the search complexity has not 
been increased. We know already the correct en¬ 
crypted value for one byte (port address 90h) from 
the previous tabulation of the encryption function 
at this address. The first instruction does not have 
to be a NOP, as any one-byte instruction that does 
not affect the following MOV will do. So the second 
search loop requires considerably less than 2 16 iter¬ 
ations — in fact we typically need less than 2,500 
attempts. 

This search process becomes steadily faster as 
more addresses are tabulated, and we quickly tabu¬ 
late the encryption function for a number of consecu¬ 
tive but still unknown addresses. We are now able to 
encrypt and send to the processor a sequence of ma¬ 
chine instructions that simply dumps all the memory 
and special registers to one of the I/O ports. 

The attack is in reality somewhat more compli¬ 
cated than presented in this brief overview. The 
details will be presented in a separate publication, 
together with a discussion of possible countermea¬ 
sures for future bus encryption based systems. Our 
point is that a class I attacker could circumvent the 
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physical protection of the ‘top’ commercial system 
with modest effort. As the attack did not exploit ei¬ 
ther physical or cryptographic weaknesses, it might 
be considered a kind of protocol attack [ 8 ]. 

4 Conclusion 

It is prudent engineering practice to avoid single 
points of failure, and especially so where the likeli¬ 
hood of failure is unknown. This makes it all the 
more remarkable that the tamper resistance claims 
made for smartcards and other commercial secu¬ 
rity processors have gone untested for so long. The 
reader will by now be convinced that these claims 
should be treated with circumspection. 

Public key techniques offer some solace, as the 
number of universal secrets can be greatly reduced 
— ideally, to a small number of certification keys, 
that can then be protected in depth. However, pub¬ 
lic key protocols have their own problems [9], and 
we should never forget that the great majority of 
actual security failures result from simple blunders 
in design, construction and operation [ 6 ] [7]. There 
is no silver bullet. 

A prudent engineer will see to it that the pene¬ 
tration of a moderate number of accessible devices, 
such as smartcards or payment terminals, will not 
be disastrous for the system. As most current elec¬ 
tronic wallet systems use symmetric cryptography 
with universal secrets stored in retailers’ terminals, 
they should be designed to keep on working after 
these secrets have been compromised — such as 
by supporting a fallback processing mode similar to 
that for credit cards, with full reconciliation, intru¬ 
sion detection, hot lists and security recovery. 

But although it is necessary to design commer¬ 
cial security systems with much more care, it is not 
sufficient. They must also be subjected to hostile 
testing. Readers may compare the nuclear weapons 
community’s insistence on independent verification 
and validation with the aversion of the banking in¬ 
dustry to any hostile review of their systems [5]. It is 
encouraging to note that some other sectors, such as 
the prepayment electricity meter industry, are start¬ 
ing to recognise the value of hostile review [7]. Other 
industries, such as pav-TV, got their hostile review 
once their systems were fielded. 
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